Device and method for protection against stack overflow and franking machine using same

ABSTRACT

The invention concerns a method for protecting sensitive data against overflow in a stack, i.e. a memory space reserved for part of a program. Said method comprises an operation which consists in assigning a stack to each program part, during which the most upstream stack, relative to the direction of movement of a pointer in a stack, is assigned to a task operating on said sensitive data. Preferably, said method comprises the execution of a single task operating on said sensitive data.

BACKGROUND AND SUMMARY OF THE INVENTION

“A system for and a method of protection against stack overflow in a memory and a franking machine employing them”

The present invention relates to a system for and a method of protection against stack overflow in a memory and a franking machine employing them.

It applies in particular to franking machines provided with a program executing in a multitasking environment and more generally to protecting sensitive data.

In a franking machine, some tasks use amounts representing sums of money. Correct execution of each of these tasks of a program must be guaranteed. Correct execution means that a task executes in its stack. The stack of a task corresponds to a memory space that is reserved for it. In other words, the invention aims to prevent sensitive data being degraded or modified inopportunely. It is therefore essential to guarantee that no stack overflows outside the memory space that is allocated to it.

Prior art multitasking programs using electronic memories provide no certification that the stack of a task cannot overflow.

To this end, the present invention aims to place the stack including the most sensitive data in the most upstream position in the memory space used for the stacks of the tasks, relative to the direction of movement of a pointer in a stack.

Accordingly, even if another stack overflows, its pointer cannot reachthe stack that contains the most sensitive data.

A first aspect of the invention provides a method of protecting sensitive data against overflow of a stack, i.e. of a memory space reserved for a part of a program, characterized in that it includes an operation of allocating a stack to each program part, during which operation the most upstream stack, relative to the direction of movement of the pointer in a stack, is allocated to a task operating on said sensitive data.

Accordingly, if another stack overflows, it is in the upstream to downstream direction that data can be disturbed, with no risk of disturbance of the sensitive data.

In particular, the sensitive data can represent sums of money.

According to particular features, said method includes the execution of a single task operating on said sensitive data.

A second aspect of the invention provides a device for protecting sensitive data against overflow of a stack, i.e. of a memory space reserved for a part of a program, characterized in that it includes means for allocating a stack to each program part, adapted to allocate the most upstream stack, relative to the direction of movement of a pointer in a stack, to a task operating on said sensitive data.

The invention also provides a franking machine characterized in that it includes a device as succinctly described hereinabove.

The invention also provides:

means for storing information readable by a computer or a microprocessor, storing instructions of a computer program, characterized in that it enables the method according to the invention, as succinctly described hereinabove, to be implemented, and

partly or completely removable means for storing information readable by a computer or a microprocessor, storing instructions of a computer program, characterized in that it enables the method according to the invention, as succinctly described hereinabove, to be implemented.

BRIEF DESCRIPTION OF THE DRAWINGS

The above device, the above franking machine and the above storage means have the same advantages as the method succinctly described hereinabove, which are not described again here.

Other advantages, objects and features of the invention will emerge from the following description, which is given with reference to the accompanying drawings, in which:

DETAILED DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a franking machine employing the stack overflow detection device and method in accordance with the present invention,

FIG. 2 is a diagram showing an electronic circuit incorporated in the franking machine shown in FIG. 1, and

FIGS. 3A and 3B show a memory organization in accordance with the present invention, respectively before and after a stack overflow.

The franking machine 1 shown in the drawings includes a device for printing a franking mark and an optional destination address of the envelope on a flat object such as a letter 2.

To print the franking mark in the standardized place provided for this purpose, the letter 2 must be passed through a corridor 5 in the machine 1 which is delimited by members fastened to the frame, respectively a sliding support 6 which forms the ceiling of the corridor 5, a table 7 which forms its floor, and a ramp which forms one of its lateral limits. The corridor is open at the end opposite the ramp.

To insert the letter 2 into the corridor 5, the letter is placed on the part of the table 7 which projects on the insertion side (the side seen on the left in FIG. 1), after which the letter is inserted into the corridor 5, as shown in FIG. 1, until it is driven by means provided for this purpose in the machine 1. The franking mark is printed automatically while the letter 2 is driven along the corridor 5, the franked letter being expelled from the machine at the other end of the corridor 5 (the end seen on the right in FIG. 1).

For driving the letter 2, the machine 1 includes two rollers 9 and 10, each passing through an opening in the table 7, and respective pressure rollers 12 and 13 for the rollers 9 and 10, each passing through an opening in the support 6.

The rollers 9 and 10 are mounted so that they can rotate relative to the frame of the machine 1 through suspension means 14 shown diagrammatically in FIG. 1.

The pressure rollers 12 and 13 are mounted on the frame of the machine 1 so that they can rotate but are not suspended from the frame. An electric motor, not shown, is used to drive synchronous rotation of the pressure rollers 12 and 13, for example by means of a belt (not shown) running around three pulleys respectively carried by the motor, the pressure roller 12 and the pressure roller 13.

Because the suspension means 14 urge the rollers 9 and 10 toward the support 6, and therefore toward the pressure rollers 12 and 13, the rollers 9 and 10 are driven by friction against the pressure rollers 12 and 13, either directly or through an object passing through the machine 1, such as the letter 2.

When the letter 2 is inserted into the corridor 5 in the manner shown in FIG. 1, it eventually encounters the roller 9 and then the pressure roller 12, which drives it in the direction indicated in FIG. 1 by the horizontal arrow oriented from left to right. At the same time, the roller 9 is lowered as the letter 2 is inserted between the rollers 9 and 12. The letter 2 therefore moves forward in the machine 1 with its face 4 to be printed pressed against and sliding along the surface 17 of the sliding support 6.

The machine 1 includes printing means 19, shown quite diagrammatically in FIG. 1, for printing the franking mark in its corresponding standardized place and/or the destination address in its corresponding standardized place.

Generally speaking, the printing means 19 apply the franking mark while the letter 2 or the object to be franked is traveling through the machine 1 with its face to be printed pressed against the surface 17 of the sliding support 6, the printing means 19 being located between the pressure rollers 12 and 13.

In the example shown, the printing means 19 are mounted directly on the frame of the machine and are therefore fixed relative to the sliding support 6.

In order for the printing means 19 to be controlled synchronously with the forward movement of the object in the machine, a sensor (not shown) is provided to detect the presence of the object and to trigger a printing process that is then executed automatically.

To be more precise, a first sensor causes the motor (not shown) to be started when an object begins to be inserted into the machine 1, and a second sensor (not shown) starts the printing process when the object has reached a predetermined location.

FIG. 2 shows an electronic control circuit of the device shown in FIG. 1. The circuit 100 is shown in the form of a block diagram. It includes, connected by an address and data bus 102:

a central processing unit 106,

a random access memory (RAM) 104,

a flash programmable read-only memory (PROM) 105,

an input/output port 103 for receiving:

    the weight of the postal object to be franked, and

    detection of the postal object by each of the sensors (not shown in the drawings),

and for transmitting:

    motor control signals,

and, independently of the bus 102:

stepper motors 109,

presence detection sensors 110,

a display screen 108 connected to the input/output port 103,

scales 112 connected to the input/output port 103 and supplying bytes representing the weight of a postal object, and

a keypad 101 connected to the input/output port 103 and supplying bytes representing successively pressed keys of the keypad.

Each of the components shown in FIG. 2 is well known to the person skilled in the art of microprocessor circuits and, more generally, information processing systems. Those components are therefore not described here.

The random-access memory 104 stores data, variables and intermediate processing results in memory registers which, in the remainder of the description, carry the same name as the data whose value they store. The random-access memory 104 includes in particular registers storing information representing the weight of the postal object to be franked, the format of the postal object currently being processed, the number of postal objects in the batch currently being processed, and up-counter and down-counter values that correspond to franking amounts already applied and remaining to be applied before recharging the machine. The latter registers employ techniques that are known in the franking machine art (during each franking operation, if the down-counter amount is greater than the amount of the franking mark to be applied, it is decremented by the amount of that mark and the up-counter is incremented by the same amount).

The read-only memory 105 is adapted to store the operating program of the central processing unit 106, in a register labeled “program1”, and the data needed for the program to execute.

The memory 105 referred to as a “random-access memory” is in fact a rewriteable non-volatile memory (i.e. it is not erased when the system is turned off). It can be rewritten only by authorized personnel using secure procedures, so that for the everyday user it is just like a read-only memory.

The central processing unit 106 is adapted to execute the program stored in read-only memory 105 and to organize the random access memory 104, as shown in FIG. 3A.

The software (program) of the franking machine is multitasking software, which implies allocation by the processor of a memory space (stack) associated with each task in the random access memory 104.

The following table shows, in decreasing memory address order, all of the stacks employed by the program, according to the prior art:

    stack of task n
    stack of task n−1
    ...
    stack of task 1
    stack of task 0
    stack of clock task
    stack of background task

Note that the stack pointers move vertically downwards when stacking, reading or writing in the stacks.

It can be easily understood that, if a stack overflows, i.e. if a task writes outside the stack allocated to it, another stack, placed downstream in the vertical downwards direction, is disturbed and the whole of the operation of the franking machine is disturbed.

In the case of franking machines, values stored in the stacks represent “sensitive” values, such as sums of money. It is therefore essential to guarantee that the stacks cannot be violated.

In accordance with the present invention, in the embodiment described and shown:

the stack which is allocated to the task which manipulates sensitive data, in this instance sums of money, is placed at the highest address, a pointer moving in a stack in the direction of decreasing addresses, and

a single task manipulates data representing sums of money.

The single task is the one which, during each franking operation, verifies that the amount of the down-counter is greater than the amount of the franking mark to be applied and, if so, decrements the down-counter by the amount of that mark and increments the up-counter by the same amount.

To this end, an operation is effected to allocate a stack to each program part, during which operation the most upstream stack, relative to the direction of movement of a pointer in a stack, is allocated to a task operating on said sensitive data.

The stack start address for each of the other tasks of the application is then fixed.

The following table, corresponding to FIG. 3A, shows, in decreasing memory address order, all of the stacks used by the program, in accordance with the present invention:

    stack of task n, manipulating data representing sums of money
    stack of task n−1
    ...
    stack of task 1
    stack of task 0
    stack of clock task
    stack of background task

For example, the following table, corresponding to FIG. 3B, shows, in decreasing memory address order, all of the stacks used by the program, if the stacks of tasks n−1 and 1 overflow:

    stack of task n
    stack of task n−1
    stack of task n−2 including overflow from stack of task n−1
    ...
    stack of task 1
    stack of task 0 including overflow from stack of task 1
    stack of clock task
    stack of background task

Note that there is no risk of the stack overflow reaching the sensitive data, which are in the stack of task n.
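As an added illustration, not part of the patent text, the following C program models the layout of FIGS. 3A and 3B: stacks are carved out of a simulated RAM in decreasing address order, the task handling sums of money receives the highest-addressed (most upstream) stack, and a simulated overflow of task n−1 is shown to disturb only the stack below it. The RAM size, stack size, task count and marker bytes are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed model of RAM 104: one region carved into fixed-size stacks,
   highest addresses first (sizes and task count are assumptions). */
#define RAM_SIZE   128
#define STACK_SIZE 16
#define NTASKS     4   /* slot 0 = money task, then task n-1, n-2, background */
static uint8_t ram[RAM_SIZE];

/* A stack occupies [base, top); its pointer starts at top and decrements. */
typedef struct { size_t base, top; } stack_t;

/* Allocate stacks in decreasing address order: slot 0 is the most upstream
   stack and is reserved for the single task that handles sums of money. */
static void allocate_stacks(stack_t *s, size_t n) {
    size_t top = RAM_SIZE;
    for (size_t i = 0; i < n; i++) {
        s[i].top  = top;
        s[i].base = top - STACK_SIZE;
        top = s[i].base;
    }
}

/* Simulate a task pushing `count` bytes of `value`. Writes continue past the
   stack base to model an overflow; returns how many bytes landed outside the
   task's own stack. Every such byte is at a LOWER address than the stack. */
static size_t push_bytes(const stack_t *s, size_t count, uint8_t value) {
    size_t overflow = 0, sp = s->top;
    while (count-- > 0 && sp > 0) {
        ram[--sp] = value;               /* pointer moves downwards */
        if (sp < s->base) overflow++;
    }
    return overflow;
}

/* 1 if any byte of stack s no longer holds `expected`, else 0. */
static int stack_disturbed(const stack_t *s, uint8_t expected) {
    for (size_t a = s->base; a < s->top; a++)
        if (ram[a] != expected) return 1;
    return 0;
}

/* FIG. 3B scenario: task n-1 (slot 1) overflows by 8 bytes. Returns 1 when
   the money stack (slot 0) is intact and only downstream slot 2 is hit. */
int money_stack_survives_overflow(void) {
    stack_t s[NTASKS];
    allocate_stacks(s, NTASKS);
    memset(ram, 0xAA, sizeof ram);       /* 0xAA marks untouched memory */
    size_t spilled = push_bytes(&s[1], STACK_SIZE + 8, 0x55);
    return spilled == 8 && !stack_disturbed(&s[0], 0xAA)
                        && stack_disturbed(&s[2], 0xAA);
}
```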

What is claimed is:

1. A method of protecting sensitive data against overflow of a stack of memory space reserved for a part of a program, said method comprising the steps of: allocating a separate stack to each part of a program; allocating a most upstream stack, relative to a direction of movement of a stack pointer in a plurality of stacks, to a task operating on said sensitive data.

2. A method according to claim 1, further including the step of executing a single task operating on said sensitive data.

3. A device for protecting sensitive data against overflow of a stack of memory space reserved for a part of a program, said device comprising: means for allocating a separate stack for each program part; means for allocating a most upstream stack of said plurality of stacks, relative to a direction of movement of a stack pointer in said plurality of stacks, to a task operating on said sensitive data.

4. A device according to claim 3, further including a data processing means for executing a single task operating on said sensitive data.

5. The device according to claim 3, wherein said device is a franking machine.

6. The device according to claim 4, wherein said device is a franking machine.